Controllers checklist report

• 5: Not yet implemented or planned
• 0: Partially implemented or planned
• 9: Successfully implemented
• 17: Not applicable

RED: not implemented or planned

Suggested actions

You should:

• Check that consent is the most appropriate lawful bases for processing.
• Make the request for consent prominent and separate from your terms and conditions.
• Ask individuals to positively opt in.
• Use unticked opt-in boxes or similar active opt-in methods.
• Use clear, plain language that is easy to understand.
• Specify why you want the data and what you’re going to do with it.
• Give granular options to allow individuals to consent separately to different types of processing wherever appropriate.
• Name your business and any specific third party organisations who will rely on this consent.
• Tell individuals they can withdraw consent at any time and how to do this.
• Ensure that individuals can refuse to consent without detriment.
• Don’t make consent a precondition of service.

Guidance

Guide to the UK GDPR - Consent, ICO website

Suggested actions

You should:

• Keep a record of when and how you got consent from the individual.

• Keep a record of exactly what they are told at the time.

• Regularly review consent to check that the relationship, processing and the purposes have not changed.

• Have processes in place to refresh consent at appropriate intervals, including any parental consents.

• Consider using privacy dashboards or other preference management tools as a matter of good practice.

• Make it easy for individuals to withdraw their consent at any time and publicise how to do so.

• Act on withdrawals of consent as soon as you can.

• Don’t penalise individuals who wish to withdraw consent.

If current consent don’t meet the UK GDPR’s high standards or is poorly documented, you will need to;

• seek fresh UK GDPR-compliant consent; or
• identify a different lawful bases for your processing (and ensure continued processing is fair); or
• stop the processing.

Guidance

Guide to the UK GDPR - Consent, ICO website

Suggested actions

You should:

• continue to register with the ICO, if your annual registration is due before May 2018; and then
• following May 2018, or when your current annual registration expires, refer to our guidance to determine what you need to pay.

Guidance

Read our guide to find out what you need to pay after May 2018.

Guide to UK GDPR - Guide to Data Protection Fee, ICO website

Suggested actions

You should:

• designate responsibility for data protection compliance to a suitable individual;
• support the appointed individual through provision of appropriate training;
• ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
• register the details of your DPO with the ICO; and
• document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.

Guidance

Guide to the UK GDPR - Data protection officers, ICO website

Suggested actions

You should:

• clearly set out your business’s approach to data protection and assign management responsibilities;
• ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
• assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
• deliver training which encourages personal responsibility and good security behaviours; and
• run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.

Guidance

Think Privacy training, ICO website

GREEN: successfully implemented

Not applicable